Skip to main content

Intro to Deletion Requests

Both the GDPR and the CCPA allow individuals to request the deletion of their personal information, unless exceptions apply. DataGrail supports the ability to 'soft' or 'hard' delete this personal information for our Customers.

Data Deletion Under CCPA

In the California Consumer Privacy Act (CCPA), the right to delete data is defined as:

“The right to delete personal information held by businesses and by extension, a business’s service provider;”

Below are common exceptions to the right to deletion:

  • Transactional: Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer
  • Security: Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity
  • Errors: Debug to identify and repair errors that impair existing intended functionality
  • Free Speech: Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law
  • CalECPA Compliance: Comply with the California Electronic Communications Privacy Act
  • Research in the Public Interest: Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent
  • Expected Internal Use: To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business
  • Legal Compliance: Comply with a legal obligation
  • Other Internal Uses: Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information

Soft Delete vs. Hard Delete

Within the DataGrail configuration there is the possibility of something called a ‘soft’ delete, in which data associated with the user is white-listed or de-identified. This functionality is based on the access to do so within a system and the fields that allow this kind of ‘soft’ deletion. A ‘hard’ deletion is defined as data being deleted from the database via API.

Standard Process within DataGrail is for all deletion to fall under the ‘hard delete’ category. This is adjustable based on customer preference in conjunction with the limitations defined above.

Disclaimer: The information contained in this message does not constitute as legal advice. We would advise seeking professional counsel before acting on or interpreting any material.